Dynamic PSK for hotspots

ABSTRACT

Systems and methods for providing secured network access are provided. A user device located within range of a hotspot initiates a request sent via an open communication network associated with the hotspot. The request concerns secured network access at the hotspot by the user device. A unique pre-shared key is generated for the user device based on information in the received request and transmitted over the open communication network for display on a webpage accessible to the user device. The unique pre-shared key is stored in association with information regarding the user device. The user device may then use the unique pre-shared key in subsequent requests for secured network access.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation and claims the priority benefit of U.S. patent application Ser. No. 13/370,201 filed Feb. 9, 2012, the disclosure of which is incorporated herein by reference.

BACKGROUND

1. Field of the Invention

The present invention generally relates to wireless hotspots. More specifically, the present invention relates to dynamic pre-shared key (PSK) for wireless hotspots.

2. Description of the Related Art

An increasing number of individuals and businesses rely on wireless services to carry out various transactions and enable communication from remote locations. Many businesses such as hotels and coffee houses have sought to capitalize on this trend and offer free wireless access to attract and retain customers. A business offering such wireless access may do by creating a “hotspot”—a location that offers Internet access over a wireless local area network through the use of a router connected to a link to an Internet service provider.

Many hotspots only offer open and unsecured communications. Some users, however, may wish to engage in communications or transactions that involve personal, sensitive, or proprietary information that is not necessarily suited for an open and unsecured communications network. As such, users may wish for such transactions be conducted in a secure manner, such that such information may not be exposed or stolen.

Implementing security features is complicated, difficult to maintain, and requires a high level of technical knowledge. An additional complication is that users at a hotspot may be continually changing. Authentication relying on 802.1x/EAP is not a practical option as hotspot users may vary widely in security needs. Setting up a RADIUS server on a network backend may likewise be complicated and unwieldy.

Pre-shared key (PSK)-based security systems require that a secret be manually entered onto all user devices using the network. A PSK-based system relies on a secret shared between and stored at both the client station and the access point. The secret may be, for example, a long bit stream, such as a passphrase, a password, a hexadecimal string, or the like. Used by a client station and the access point to authenticate each other, the secret may also be used to generate an encryption key set.

A disadvantage to PSK-based systems is that once the shared secret becomes known to unauthorized personnel, the security of the entire network is compromised. This may pose a problem where network access is provided to an ever-changing set of numerous, diverse, and transient mobile users. Generally, to maintain the security of a PSK-based system, the secret must be changed on all client stations whenever a person with knowledge of the secret departs from the organization or is no longer authorized to access the network. As a result, many commercial organizations (e.g., small- and medium-sized businesses or enterprises with a high degree of turn over) have been unable to deploy security measures around their hotspots, because of their lack of expertise and/or full-time professional technical support.

There is, therefore, a need in the art for improved systems and methods for providing secure network access at hotspots

SUMMARY OF THE CLAIMED INVENTION

Embodiments of the present invention include systems and methods for providing secured network access at a hotspot. A user device located within range of the hotspot initiates a request to be sent via an open communication network associated with the hotspot. The request concerns secured network access at the hotspot by the user device. In response, a unique pre-shared key is generated for the user device based on information in the received request and transmitted over the open communication network for display on a webpage accessible to the user device. The unique pre-shared key is also stored in association with information regarding the user device. The user device may then use the unique pre-shared key in subsequent requests for secured network access.

Various embodiments of the present invention include methods for providing secured network access at a hotspot. Such methods may include receiving a request initiated by a user device located within a range of a hotspot. The request is sent via an open communication network associated with the hotspot and concerning secured network access at the hotspot by the user device. Methods may further include generating a unique pre-shared key for the user device based on information in the received request, transmitting the unique pre-shared key over the open communication network for display on a webpage accessible to the user device, and storing the unique pre-shared key in association with information regarding the user device. The user device may then the unique pre-shared key in a subsequent request for secured network access.

Additional embodiments include apparatuses for providing secured network access at a hotspot. Such apparatuses may include an interface for receiving an incoming requests initiated by a user device located within a range of a hotspot concerning secured network access at the hotspot by the user device, a processor for executing instructions stored in memory to generates a unique pre-shared key for the user device based on information in the received request, and a database in memory for storing the unique pre-shared key in association with information regarding the user device. The unique pre-shared key is transmitted over the open communication network for display on a webpage accessible to the user device. The user device may then the unique pre-shared key in a subsequent request for secured network access.

Embodiments of the present invention may further include systems for providing secured network access at a hotspot. Such systems may include an access point associated with a hotspot and providing both open access over an open communication network and secured network access based on a pre-shared key. Systems may further include a hotspot controller for receiving an incoming request initiated by a user device concerning secured network access at the hotspot, generating a unique pre-shared key for the user device based on information in the received request, storing the unique pre-shared key in association with information regarding the user device, and transmitting the unique pre-shared key over the open communication network for display on a webpage accessible to the user device. The user device may then the unique pre-shared key in a subsequent request for secured network access.

Other embodiments of the present invention include non-transitory computer-readable storage media on which is embodied instructions executable to providing secured network access at a hotspot in general accordance with the method previously set forth above.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a network environment in which a system for providing secured network access at a hotspot may be implemented.

FIG. 2 illustrates a method for providing secured network access at a hotspot.

DETAILED DESCRIPTION

Embodiments of the present invention provide systems and methods for secured network access at a hotspot. A user device located within range of the hotspot initiates a request to be sent via an open communication network associated with the hotspot. The request concerns secured network access at the hotspot by the user device. In response, a unique pre-shared key is generated for the user device based on information in the received request and transmitted over the open communication network for display on a webpage accessible to the user device. The unique pre-shared key is also stored in association with information regarding the user device. The user device may then use the unique pre-shared key in subsequent requests for secured network access.

FIG. 1 illustrates a network environment 100 in which a system for secured network access at a hotspot may be implemented. Network environment 100 may include a user devices 110 and a ‘hotspot’ including access point 130 and that provides open communication network 120A and secured communication network 120B. The network environment 100 may further include web portal server 140 and a hotspot controller 150.

Users may use any number of different wireless user devices 110 such as notebook, netbook, and tablet computers with WiFi capability, smartphones with WiFi capability, or any other type of wireless computing device capable of communicating over communication networks 120. User device 110 may also be configured to access data from other storage media, such as memory cards or disk drives as may be appropriate in the case of downloaded services. User device 110 may include standard hardware computing components such as network (e.g., wireless) and media interfaces, non-transitory computer-readable storage (memory), and processors for executing instructions that may be stored in memory.

Communication networks 120A-B may convey various kinds of information to user devices, such as user device 110. Communication networks 120A-B may be a local, proprietary network (e.g., an intranet) and/or may be a part of a larger wide-area network. The communications network 110 may be a local area network (LAN), which may be communicatively coupled to a wide area network (WAN) such as the Internet. The Internet is a broad network of interconnected computers and servers allowing for the transmission and exchange of Internet Protocol (IP) data between users connected through a network service provider. Examples of network service providers are the public switched telephone network, a cable service provider, a provider of digital subscriber line (DSL) services, or a satellite service provider. Communications networks 120A-B allow a connecting device (e.g., user device 110 to access the Internet. Open communication network 120A is open and unsecured. As such, any user device 110 may be able to connect to the open communication network 120A without (much) restriction. In contrast, secured communication network 120B may involve various security policies and protocols so that communications to and from user device 110 may remain secure.

Communication networks 120A-B are provided by a hotspot access point 130, which can transmit various electromagnetic waves. Examples of wireless protocols that might be used by hotspot access point 130 include IEEE 802.11 (Wi-Fi or Wireless LAN), IEEE 802.16 (WiMAX), or IEEE 802.16c network. Hotspot may be inclusive or a number of wireless transceivers distributed over an area.

Access point 130 includes, at the least, an antenna system, radio, memory, and processor. The antenna system wirelessly receives and transmits data packets. For example, the antenna system can receive packet data such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packet data using the IEEE 802.11 wireless protocol. Radio converts data into the requisite wireless protocols. Various instructions governing the control of the access point 130 are stored in memory and executed by processor.

One or more wireless or wired connections may be created to allow for data transmission between access point 130 and user device 110 (via communication networks 120A-B) as well as web portal server 140, hotspot controller 150, and various other access points in network environment 100. The antenna may further include selectable antenna elements like those disclosed in U.S. Pat. No. 7,292,198 for a “System and Method for an Omnidirectional Planar Antenna Apparatus,” the disclosure of which is incorporated herein by reference. Hotspot access point 130 may also utilize various transmission parameter controls like those disclosed in U.S. Pat. No. 7,889,497 for a “System and Method for Transmission Parameter Control for an Antenna Apparatus with Selectable Elements,” the disclosure of which is incorporated herein by reference.

Web portal server 140 may include any type of server or other computing device as is known in the art for providing access to the Internet (web). Web portal server 140 may include standard hardware computing components such as network and media interfaces, non-transitory computer-readable storage (memory), and processors for executing instructions or accessing information that may be stored in memory. The functionalities of multiple servers may be integrated into a single server. Any of the aforementioned servers (or an integrated server) may take on certain client-side, cache, or proxy server characteristics. These characteristics may depend on the particular network placement of the server or certain configurations of the server. When a user device 110 requests secure network access, the request may be redirected to web portal server 140, which may convey the request to hotspot controller 150.

Hotspot controller 150 manages the one or more hotspot access points 130 in network environment 100. As such, the hotspot controller 150 intelligently manages the hotspot wireless services, including deployment, RF assignments, traffic/load balancing, and security. In terms of security, for example, the hotspot controller 150 may receive a request that a user device 110 be allowed to use the secured communication network 120B. Hotspot controller 150 dynamically generates a unique pre-shared key for the requesting user device 110 and return the key to web portal server 140, which in turns generates a web page displaying the unique pre-shared key to the user device 110. User device 110 may then use the pre-shared key in a request to access secure communication network 120B.

FIG. 2 illustrates a method 200 for providing secure network access at a hotspot. The method 200 of FIG. 2 may be embodied as executable instructions in a non-transitory computer readable storage medium including but not limited to a CD, DVD, or non-volatile memory such as a hard drive. The instructions of the storage medium may be executed by a processor (or processors) to cause various hardware components of a computing device hosting or otherwise accessing the storage medium to effectuate the method. The steps identified in FIG. 2 (and the order thereof) are exemplary and may include various alternatives, equivalents, or derivations thereof including but not limited to the order of execution of the same.

In method 200 of FIG. 2, a user device connects to an open communication network hosted by a hotspot access point. The request is redirected to a web portal server, which requests a pre-shared key from a hotspot controller. The hotspot controller may generate and return the unique pre-shared key to the web portal server, which generates a webpage displaying the unique pre-shared key to the user device. The user device may then use the unique pre-shared key to access the secure communication network.

In step 210, a user device 110 connects to an open communication network 120A provided by hotspot access point 130. For some network activity (e.g., reading the news), the user may not necessarily require security and the use of the open communication network 120A may be sufficient. Some transactions (e.g., financial or business related) may require additional security so as to ensure that sensitive information is not exposed or misappropriated by other users of the open communication network 120A. The user of device 110 may be offered access to the secured communication network 120B as an option. Upon selection of that offering, a user request for access to the secure communication network 120B may be sent over the open communication network 120A. Connection to the open communication network 120A may, in some implementations, automatically initiate a request for secure access to the secured communication network 120B.

In step 220, the request for secure network access is redirected to web portal server 140. In addition to information regarding the particular user device 110, the access request may include information concerning various policies and parameters as determined by the particular entity (e.g., business) providing wireless access at the hotspot. These parameters and policies may include information used to configure a wireless device for connection to a restricted wireless network and access policies related to the same, such as a wireless network name, wireless device parameters, adapter configurations, security-related parameters, access constraints, quality of service parameters, security-related parameters, expiration date of the secure access, limits on session duration, bandwidth, user identity, user rewards, and access policies.

In step 230, the web portal server 140 submits a request for a unique pre-shared key to hotspot controller 150. Assigning each individual user/user device 110 a unique pre-shared key ensures that third-parties cannot eavesdrop on or otherwise access information belonging to another user accessing the network by way of device 110. Because each pre-shared key is unique, the encryption (and decryption) of information belonging to one particular user is different from that for any other user. Moreover, when the user leaves the hotspot, the unique pre-shared key assigned to that user/user device 110 does not need to be changed to maintain security for users remaining in the hotspot.

In step 240, the hotspot controller 150 generates a unique pre-shared key for the requesting user device 110 and sends the generated unique pre-shared key to the web portal server 140. Hotspot controller 150 may randomly generate the unique pre-shared secret for each user device 110 using various algorithms and formulas. By providing for randomly generated and unique keys, hotspot controller 150 increases the difficulty of illicitly gaining accessing user information by deducing the secret of any particular user. The unique pre-shared key may further be registered to the user of the user device based on user information provided in the request.

Hotspot controller 150 may also store information associating the particular key with the requesting user device 110. Where a particular business providing the hotspot wishes to apply certain policies and parameters, those policies and parameters may also be stored. A hotel, for example, may wish to provide frequent guests with greater bandwidth than other guests. As such, information regarding the guest identity, the user device 110 belonging to the guests (e.g., as identified by MAC address) and the amount of bandwidth allotted may also be stored in association with the unique pre-shared key.

In step 250, the web portal server 140 generates a webpage to display the unique pre-shared key to the user of user device 110.

In step 260, the unique pre-shared key is entered into user device 110, either manually by the user (e.g., a cut and paste operation), via user selection (e.g., execution of a script associated with a ‘install’ button), or automatically as a result of instructions embedded with a pre-shared key download package. A subsequent request for access to the secure communication network 120B is generated based on the unique pre-shared key. In some instances, the unique pre-shared key may be bundled as part of a package that may be installed automatically or upon request on the user device 110. The package may include any applications, policies, or parameters required for connection to the secure communication network 120B. For example, an application may be downloaded to the wireless device and executed to survey, configure (e.g., install parameters and policies), and/or connect the wireless device to the secured communication network 120B. The unique pre-shared key may then be used to authenticate the user device 110 so that the user device 110 can access the secured communication network 120B according to the installed policies and parameters.

The present invention may be implemented in a variety of devices. Non-transitory computer-readable storage media refer to any non-transitory storage medium or media that participate in providing instructions to a central processing unit (CPU) for execution. Such media can take many forms, including, but not limited to, non-volatile and volatile media, which may include optical disks, dynamic memory, floppy disks, flexible disks, hard disks, magnetic tape, any other magnetic medium, CD-ROM disks, digital video disks (DVDs), any other optical medium, RAM, PROM, EPROM, a FLASHEPROM, and any other memory chip or cartridge.

Various forms of transmission media may be involved in carrying one or more sequences of one or more instructions to a CPU for execution. A bus carries the data to system RAM, from which a CPU retrieves and executes the instructions. The instructions received by system RAM can optionally be stored on a fixed disk either before or after execution by a CPU. Various forms of storage may likewise be implemented as well as the necessary network interfaces and network topologies to implement the same.

While various embodiments have been described above, it should be understood that they have been presented by way of example only, and are not intended to limit the scope of the invention to the particular forms set forth herein. To the contrary, the present descriptions are intended to cover such alternatives, modifications, and equivalents as may be included within the spirit and scope of the invention as defined by the appended claims and otherwise appreciated by one of ordinary skill in the art along with their full scope of equivalents. 

What is claimed is:
 1. A method for providing secured network access, the method comprising: storing information in memory of a hotspot controller, the stored information regarding a plurality of user devices each associated with a different pre-shared key unique to the respective user device; receiving a request initiated by a user device located within a range of a hotspot associated with the hotspot controller, the request sent via an open communication network associated with the hotspot and concerning access to a secured communication network associated with the hotspot, wherein the request initiated by the user device is redirected by an intermediary web portal server to the hotspot controller; and executing instructions stored in memory of the hotspot controller, wherein execution of the instructions by a hardware processor: identifies a pre-shared key included in the request from the requesting user device, accesses the stored information to determine that the identified pre-shared key is associated with the requesting user device, authenticates the requesting user device based on the identified pre-shared key and the stored information, and grants the requesting user device access to the secured communication network associated with the hotspot, wherein communications by the requesting user device in the secured communications network are encrypted based on the identified pre-shared key, and wherein communications by each other user device in the secured wireless network are encrypted based on the respective different pre-shared key unique to the other user device.
 2. The method of claim 1, wherein the stored information regarding the requesting user device includes at least one parameter, and wherein access to the secured communication network granted to the requesting user device is governed at least in part by the at least one parameter.
 3. The method of claim 2, wherein the at least one parameter includes one or more of the following: expiration date, session duration, bandwidth, user identity, user rewards, or access policies.
 4. The method of claim 3, wherein the user rewards comprises adjusting bandwidth provided to the requesting user device based on the stored information regarding a user of the requesting user device.
 5. The method of claim 1, wherein encryption in accordance with the pre-shared key of the requesting user device is different than encryption in accordance with the different pre-shared keys associated with other user devices.
 6. The method of claim 1, wherein a downloaded application connects the requesting user device to the secured wireless communication network.
 7. An apparatus for providing secured network access, the apparatus comprising: memory that stores information regarding a plurality of user devices each associated with a different pre-shared key unique to the respective user device; a communication interface that receives a request initiated by a user device located within a range of a hotspot, the request sent via an open communication network associated with the hotspot and concerning access to a secured communication network associated with the hotspot, wherein the request initiated by the user device is redirected by an intermediary web portal server t to the hotspot controller; and a hardware processor for executing instructions stored in memory, wherein execution of the instructions by the hardware processor: identifies a pre-shared key included in the request from the requesting user device, accesses the stored information to determine that the identified pre-shared key is associated with the requesting user device, authenticates the requesting user device based on the identified pre-shared key and the stored information, and grants the requesting user device access to the secured communication network associated with the hotspot, wherein communications by the requesting user device in the secured communications network are encrypted based on the identified pre-shared key, and communications by each other user device are encrypted based on the respective different pre-shared key unique to the other user device.
 8. The apparatus of claim 7, wherein the stored information regarding the requesting user device includes at least one parameter, and wherein access to the secured communication network granted to the requesting user device is governed at least in part by the at least one parameter.
 9. The apparatus of claim 8, wherein the at least one parameter includes one or more of the following: expiration date, session duration, bandwidth, user identity, user rewards, or access policies.
 10. The apparatus of claim 9, wherein the user rewards comprises adjusting bandwidth provided to the requesting user device based on the stored information regarding a user of the requesting user device.
 11. The apparatus of claim 7, wherein encryption in accordance with the pre-shared key of the requesting user device is different than encryption in accordance with the different pre-shared keys associated with other user devices.
 12. The apparatus of claim 7, wherein a downloaded application connects the requesting user device to the secured wireless communication network.
 13. A system for providing secured network access, the system comprising: an access point associated with a hotspot, the access point providing both: open access over an open communication network, and secured network access over a secured communication network based on a pre-shared key; an intermediary web portal server, wherein a request initiated by a user device located within a range of the hotspot is redirected to the intermediary web portal server, the request sent via the open communication network and concerning access to the secured communication network at the hotspot by the user device; and a hotspot controller comprising: memory that stores information regarding a plurality of user devices each associated with a different pre-shared key unique to the respective user device; a communication interface that receives the request from the intermediary web portal server; and a hardware processor for executing instructions stored in memory, wherein execution of the instructions by the hardware processor: identifies a pre-shared key included in the request from the requesting user device, accesses the stored information to determine that the identified pre-shared key is associated with the requesting user device, authenticates the requesting user device based on the identified pre-shared key and the stored information, and grants the requesting user device access to the secured communication network associated with the hotspot, wherein communications by the requesting user device in the secured communications network are encrypted based on the identified pre-shared key, and communications by each other user device are encrypted based on the respective different pre-shared key unique to the other user device.
 14. The system of claim 13, wherein the stored information regarding the requesting user device includes at least one parameter, and wherein access to the secured communication network granted to the requesting user device is governed at least in part by the at least one parameter.
 15. The system of claim 14, wherein the at least one parameter includes one or more of the following: expiration date, session duration, bandwidth, user identity, user rewards, or access policies.
 16. The system of claim 15, wherein the user rewards comprises adjusting bandwidth provided to the requesting user device based on the stored information regarding a user of the requesting user device.
 17. The system of claim 13, wherein encryption in accordance with the pre-shared key of the requesting user device is different than encryption in accordance with the different pre-shared keys associated with other user devices.
 18. The system of claim 13, wherein a downloaded application connects the requesting user device to the secured wireless communication network.
 19. A non-transitory computer-readable storage medium, having embodied thereon a program executable by a hardware processor to perform steps for providing secured network access, the steps comprising: storing information regarding a plurality of user devices each associated with a different pre-shared key unique to the respective user device; receiving a request initiated by a user device located within a range of a hotspot, the request sent via an open communication network associated with the hotspot and concerning access to a secured communication network associated with the hotspot, wherein the request initiated by the user device is redirected by an intermediary web portal server to the hotspot controller; identifying a pre-shared key included in the request from the requesting user device; accessing the stored information to determine that the identified pre-shared key is associated with the requesting user device; authenticating the requesting user device based on the identified pre-shared key and the stored information; and granting the requesting user device access to the secured communication network associated with the hotspot, wherein communications by the requesting user device in the secured communications network are encrypted based on the identified pre-shared key, and communications by each other user device are encrypted based on the respective different pre-shared key unique to the other user device. 